The golden question I get asked on almost a daily basis is the following:

"How secure is SharePoint, it is a Microsoft product after all, and of course Microsoft and Security don't go hand in hand."

How bizarre is that statement!! Firstly to state that Microsoft and Security don't go hand in hand is a little lame really; this shows that people do not really understand security and what Microsoft has been doing on the security front. It also seems to be a standard question asked by most organisations and of course everyone has their own views, one such view can be found here:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116929&source=rss_news

Or

http://bionewsline.net/?p=1026

So what is security then?

"Security is the condition of being protected against danger, loss, and criminals. In the general sense, security is a concept similar to safety. The nuance between the two is an added emphasis on being protected from dangers that originate from outside. Individuals or actions that encroach upon the condition of protection are responsible for the breach of security." Wikipedia

Security has always been one of those areas that people see as a dark art. Always involves a million firewalls and security policies just in case the outside world decides that their SharePoint solution is that important that all the criminal minds in the world want to get to it. Realistically I don't think that they are but we still need to be secure and more than just the outside attacks. Most of the intellectual property that is stolen etc from organisations is done by employees who are not happy, leaving or really don't actually know that by copying that information is a security breach. I have been to organisations as a consultant where security is as strong as a password that everyone knows!! Other places I have been involved hand print scanners just to get into the building, however if it fits on a USB stick then you are sorted.

We all know that security can and is often a problem, so how does SharePoint fit into the equation?

Firstly let's think about NTFS Shared Folders. How many of you have seen an NTFS structure that is nice and secure? How many of you have looked at the permissions and noticed that people have access when they should not, or even people that have left still have accounts on the system giving them access?

Now how many of you have seen a SharePoint implementation where the sites structures are well defined, site collections are used and security is defined well using AD Groups? How many of you have seen the security get all messed up and had similar issues to the NTFS one above?

I would assume some of you would say yes to either one or both, if you have seen both then you will soon realise that the fundamental issues is the same no matter what product you may use.

So what are the issues?

I see these issues as the following:

These issues are not just SharePoint problems; they are generic across any platforms and solutions. Unfortunately due to the nature of SharePoint it is very easy for security to become a problem within any organisation. As it is a collaboration platform it is designed for freedom and sharing, however it is a secure product.

So how can you make SharePoint secure?

This is very simple but requires a lot of effort and work before the system is designed and built. The following areas need to be considered:

1. User Access (Internal)
2. User Access (External Access)
3. Non-Staff Access (External)
4. Entry and Termination Points (Internal and External)
   1. AAM (Alternate Access Mappings)
   2. SSL Termination
   3. Authentication Providers
5. Security Groups (AD) vs. SharePoint Site Groups
6. Security Administration
   1. IT
   2. Departmental
7. Security Permissions
   1. Owners
   2. Contributors
   3. Readers

I am not saying that you need to specify everything for each and every item listed above, however successful projects I have worked on, normally have this completely sorted out before they go live. The key here like any other product or solution is to get it right and make administration easier to manage. Unfortunately SharePoint gets a bad name due to bad design and implementation. This is why like in a previous post I always advocate getting a SharePoint specialist in to assist in the security design and architecture.

Remember that if you do sit in the paranoia category then you can always enhance the base SharePoint platform with other products such as Right Management or even bolt on a secure records management package such as Meridio, ViewDirect, Documentum, Hummingbird or any other records management product that works with SharePoint. If that does not work then look at using either Microsoft ISA Server 2006 or Microsoft Intelligent Application Gateway to protect inside and outside the network.

Security should not be a problem if you design it correctly. The success of security within a project should be not pinned on the product itself if it does not work the way you thought. Surely when you were deciding the product to use you would have tested this as part of the selection process. In response to the criticism of SharePoint George Johnson, chief security officer at the National Centre for Crisis and Continuity Coordination responded with the following:

"This is not the fault of the tool but rather the governance structure or the lack thereof, IT-based collaboration is very tough as it requires governance from far more. For a SharePoint implementation to be successful, IT, security, sponsor and end-user requirements must be brought into alignment. These are often either completely overlooked or abandoned once the product is initially deployed"